SSU shuts down massive Russian cyber attack against Ukrainian computer network
SSU cyber specialists uncovered a deliberate malware distribution campaign run by the Russian special services. Those who commissioned it intended to hit the computer networks of public authorities, local self-government bodies and critical infrastructure facilities.
The SSU established that in early June 2020 mass spam was sent with a spoofed sender address. In particular, e-mails containing malicious attachments were sent to a number of government agencies purportedly from the Kyiv Patrol Police Department.
The malicious software installs the client part of a Remote Administration Tool on the affected computer, which lets the foreign intelligence service monitor PC activity remotely. Command and control servers have also been set up, including in Russia.
SSU cyber experts recommend an urgent audit of information and telecommunications systems, in particular using the indicators published on the MISP-UA platform, to identify possible compromise and take appropriate measures.
Compromise indicators:

| File name | sha1 | sha256 |
|---|---|---|
| E-request.rar | ce4bf04087f7a011ef020fce81d00a393e37f679 | ad15d2d402b03d0dc0fb55842c8159b868448b8459b4c468b325c225393cfcf4 |
| E-request.pdf.rar | 2ed6b02df189dbb1d07d76886957d5f7cdcd1463 | 23388220f257056878c17c5f4f44d1b1a8478328bbbd14a450ea9bd141021763 |
| Access code 030621.txt | e285193b27d5ea1c644973993415bbf9baad86a0 | bf135c2003dee739fa69e7f2ee7d460d61edddfff3747920ee0dbeb1c9f311b2 |
| E-request.pdf.exe | 9480842a7a94c378ed27771c724bada5bdb758c4 | e065fb7712e0c7a8ba1db464bd8d97443b10d7162c9930fc5a9576c7871e4c78 |
C&C servers:
- 178.210.76.171 (Ru-Center, Russia)
- 176.9.64.70 (Hetzner, Germany)
- 185.231.68.230 (Zomro, Netherlands)
Domain name:
- rmssrv.ru
The connection is made to ports 5651, 8080 and 81.
To clean the affected computers of the malware described above, you need:
- to stop the service Remote Utilities - Host
- to delete the directory C:\Program Files (x86)\Remote Utilities - Host\
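As an added example that is not part of the SSU advisory, the following PowerShell script audits a single Windows host for the indicators listed above (the service and directory named in the cleanup steps, established connections to the listed C&C addresses or ports, cached DNS entries for the listed domain, and files whose sha256 matches one of the attachments) and applies the advisory's two cleanup steps only when run with -Remediate. It assumes Windows PowerShell 5.1 or later run as an administrator, and the ScanRoot parameter defaults to the user's Downloads folder, which is an assumption about where the attachments would have been saved.

```powershell
# Added example (not the SSU's code): check one host for the advisory's indicators.
param([string]$ScanRoot = "$env:USERPROFILE\Downloads", [switch]$Remediate)

# Indicators copied from the advisory above.
$Sha256  = @('ad15d2d402b03d0dc0fb55842c8159b868448b8459b4c468b325c225393cfcf4',
             '23388220f257056878c17c5f4f44d1b1a8478328bbbd14a450ea9bd141021763',
             'bf135c2003dee739fa69e7f2ee7d460d61edddfff3747920ee0dbeb1c9f311b2',
             'e065fb7712e0c7a8ba1db464bd8d97443b10d7162c9930fc5a9576c7871e4c78')
$C2Ips   = @('178.210.76.171', '176.9.64.70', '185.231.68.230')
$C2Ports = @(5651, 8080, 81)
$C2Host  = 'rmssrv.ru'
$SvcName = 'Remote Utilities - Host'
$SvcDir  = "${env:ProgramFiles(x86)}\Remote Utilities - Host"

# A List is used so that additions inside pipeline script blocks are always visible here.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Service and install directory named in the cleanup steps.
if (Get-Service -Name $SvcName -ErrorAction SilentlyContinue) { $findings.Add("service present: $SvcName") }
if (Test-Path -LiteralPath $SvcDir) { $findings.Add("directory present: $SvcDir") }

# 2. Established TCP connections to a listed C&C address (strong) or only a listed port (weak,
#    since 8080 and 81 are also used by legitimate services).
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    if ($C2Ips -contains $_.RemoteAddress) {
        $findings.Add("C2 address: $($_.RemoteAddress):$($_.RemotePort) pid $($_.OwningProcess)")
    } elseif ($C2Ports -contains $_.RemotePort) {
        $findings.Add("weak, port only: $($_.RemoteAddress):$($_.RemotePort) pid $($_.OwningProcess)")
    }
}

# 3. The C&C domain in the local DNS client cache.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -match ('(^|\.)' + [regex]::Escape($C2Host) + '$') } |
    ForEach-Object { $findings.Add("DNS cache entry: $($_.Entry)") }

# 4. Files under $ScanRoot whose sha256 matches one of the attachments.
Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
    if ($Sha256 -contains $h) { $findings.Add("file hash match: $($_.FullName)") }
}

if ($findings.Count -eq 0) { Write-Output 'No indicators found.'; exit 0 }
$findings | ForEach-Object { Write-Output "INDICATOR  $_" }

# Cleanup exactly as the advisory describes: stop the service, then remove its directory.
if ($Remediate) {
    if (Get-Service -Name $SvcName -ErrorAction SilentlyContinue) { Stop-Service -Name $SvcName -Force }
    if (Test-Path -LiteralPath $SvcDir) { Remove-Item -LiteralPath $SvcDir -Recurse -Force }
}
exit 1
```

Run it without -Remediate first so that the connection and process findings can be preserved for the incident record before the service is stopped.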